US-8504097

Alternative hardware and software configuration for near field communication

Published: August 6, 2013
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A system on a mobile phone for configuring a secure partition in a trusted security zone is provided. The system comprises a processor and a near field communication transceiver. The processor executes virtualization software and comprises a first virtual processor and a second virtual processor, where the second virtual processor comprises the trusted security zone and the secure partition resides in the trusted security zone. The first virtual processor comprises an application which utilizes the secure partition in the trusted security zone. The second virtual processor comprises an application stored in the trusted security zone, where the application couples the near field communication transceiver to the secure partition residing in the trusted security zone and where the application enables run-time execution in the trusted security zone based on receiving a signal from the near field communication transceiver.

Patent Claims
19 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A system on a mobile phone for configuring a secure partition in a trusted security zone, comprising: a processor that executes virtualization software and comprises a first virtual processor and a second virtual processor, wherein the second virtual processor comprises the trusted security zone; a plurality of secure partitions residing in the trusted security zone, wherein the trusted security zone executes a dedicated operation system; a first application stored in the first virtual processor, wherein the first application selects the secure partition from the plurality of secure partitions in the trusted security zone for performing a transaction associated with the first application and sends the selection to a second application stored in the trusted security zone; a near field communication transceiver; the second application stored in the trusted security zone, wherein the second application receives the selection from the first application and in response to receiving the selection, couples the near field communication transceiver to the secure partition residing in the trusted security zone via direct connection to a hardware port associated with the trusted security zone on the processor prior to beginning the transaction, and wherein the second application enables run-time execution in the trusted security zone based on receiving a signal from the near field communication transceiver; and the secure partition residing in the trusted security zone, wherein the secure partition is not directly accessible from the first application.

Plain English Translation

A mobile phone system configures a secure partition within a trusted security zone using virtualization. The processor runs virtualization software creating a first virtual processor and a second virtual processor, where the second houses the trusted security zone. Multiple secure partitions reside within this zone, managed by a dedicated operating system. An application in the first virtual processor selects a secure partition for a transaction and signals a second application in the trusted security zone. This second application then directly connects the phone's near-field communication (NFC) transceiver to the selected secure partition via a hardware port, enabling runtime execution in the trusted zone triggered by an NFC signal. The first application cannot directly access the secure partition.

Claim 2

Original Legal Text

2. The system of claim 1, wherein the first virtual processor and the second virtual processor execute in a time-sliced fashion comprising switching contexts between the two virtual processors to share processor resources.

Plain English Translation

The mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), operates using time-slicing. The first and second virtual processors alternate processing time, sharing the processor's resources. This context switching allows both virtual processors to function concurrently.

Claim 3

Original Legal Text

3. The system of claim 1, wherein the trusted security zone utilizes security aware components implemented in System on Chip architecture (SoC).

Plain English Translation

In the mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), the trusted security zone utilizes security-aware components implemented within a System on Chip (SoC) architecture. This means the hardware itself is designed with security features.

Claim 4

Original Legal Text

4. The system of claim 1, wherein the near field communication transceiver is coupled to a hardware port of the processor via the Single Wire Protocol (SWP).

Plain English Translation

In the mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), the near-field communication (NFC) transceiver connects to the processor's hardware port using the Single Wire Protocol (SWP). SWP facilitates communication between the NFC transceiver and the secure element.

Claim 5

Original Legal Text

5. The system of claim 1, wherein the second application stored in the trusted security zone executes at the ring 0 protection level which provides the most privileges and most direct interaction with the physical hardware.

Plain English Translation

In the mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), the second application, residing in the trusted security zone, executes at the "ring 0" protection level. This grants it the highest privileges and direct interaction with the physical hardware of the system.

Claim 6

Original Legal Text

6. The system of claim 1, wherein the second application stored in the trusted security zone couples the near field communication transceiver to a second secure partition based on receiving a selection of the second secure partition from the first application stored in the first virtual processor.

Plain English Translation

In the mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), the second application in the trusted security zone can connect the near-field communication (NFC) transceiver to a *different* secure partition. This occurs when the first application in the first virtual processor selects this second secure partition.

Claim 7

Original Legal Text

7. The system of claim 1, further comprising configuring the secure partition residing in the trusted security zone using Open Mobile Alliance (OMA) standards.

Plain English Translation

In the mobile phone system described where a secure partition is configured in a trusted security zone using virtualization, and where an application selects a secure partition for a transaction and signals a second application to connect the NFC transceiver to the partition (as described in claim 1), the secure partition within the trusted security zone is configured using Open Mobile Alliance (OMA) standards. OMA standards ensure interoperability and standardized management of secure elements.

Claim 8

Original Legal Text

8. A method of secure partition configuration in a trusted security zone on a mobile device, comprising: selecting in a first application on a mobile device a secure partition from a plurality of secure partitions concurrently residing in the trusted security zone on the mobile device for performing a transaction associated with the first application and sends the selection to a second application stored in the trusted security zone; sending the selection of the secure partition from the first application to a second application, wherein the second application is stored in the trusted security zone on the mobile device, and wherein the trusted security zone executes a dedicated operating system; in response to receiving the selection from the first application, coupling, by the second application, a near field communication transceiver in the mobile device to the selected secure partition prior to performing the transaction, wherein the secure partition hardware and software reside on a processor of the mobile device in the trusted security zone, wherein the secure partition is not directly accessible from the first application, and wherein the coupling is via direct connection to a hardware port associated with the trusted security zone on the processor; and establishing a wireless link between the near field communication transceiver in the mobile device and an external near field communication device, wherein the wireless link enables communication between the selected secure partition and the external near field communication device.

Plain English Translation

A method secures transactions on a mobile device by using a trusted security zone. A first application chooses one secure partition from several available in the trusted zone for a transaction and sends that selection to a second application, which is stored in the trusted zone. The trusted zone runs a separate OS. The second application then connects the phone's near-field communication (NFC) transceiver directly to the chosen secure partition using a hardware port *before* the transaction starts. The first application can't directly access the secure partition. Finally, a wireless link is established via NFC with an external device, enabling communication between the selected partition and that external NFC device.

Claim 9

Original Legal Text

9. The method of claim 8, wherein the first application on the mobile device is an electronic wallet application and the selected secure partition contains credentials which may be used for payments, authentication, and other mobile financial services.

Plain English Translation

The method of secure partition configuration in a trusted security zone (as described in claim 8), involves an electronic wallet application as the first application. The chosen secure partition stores sensitive data like payment credentials, which are used for payments, authentication, or other mobile financial transactions.

Claim 10

Original Legal Text

10. The method of claim 8, wherein the trusted security zone runs a separate operating system that is not accessible to the mobile device users.

Plain English Translation

In the secure partition configuration method (as described in claim 8), the trusted security zone operates with an independent operating system. Critically, this operating system is inaccessible to regular mobile device users, thereby enhancing security.

Claim 11

Original Legal Text

11. The method of claim 10, wherein the second application stored in the trusted security zone is installed in random access memory.

Plain English Translation

In the secure partition configuration method where the trusted security zone runs a separate, inaccessible operating system (as described in claim 10, which builds upon claim 8), the second application stored in the trusted security zone is loaded into Random Access Memory (RAM). This can potentially increase execution speed and security by avoiding persistent storage.

Claim 12

Original Legal Text

12. The method of claim 8, wherein the hardware port is monitored by the second application for interfacing with the secure partition.

Plain English Translation

In the secure partition configuration method (as described in claim 8), the second application monitors the hardware port that is connected to the secure partition. This allows the second application to interface with the secure partition hardware directly.

Claim 13

Original Legal Text

13. The method of claim 8, further comprising configuring the plurality of secure partitions residing in the trusted security zone using Open Mobile Alliance (OMA) standards.

Plain English Translation

The method of secure partition configuration in a trusted security zone (as described in claim 8) configures the secure partitions within the trusted security zone using Open Mobile Alliance (OMA) standards. OMA standards ensure standardized management and interoperability of these secure partitions.

Claim 14

Original Legal Text

14. The method of claim 8, wherein the second application enables run-time execution in the trusted security zone based on receiving a signal from the near field communication transceiver.

Plain English Translation

In the secure partition configuration method (as described in claim 8), the second application enables runtime execution inside the trusted security zone when it receives a signal from the near-field communication (NFC) transceiver. This allows actions to be triggered within the trusted environment by external NFC communications.

Claim 15

Original Legal Text

15. A system on a mobile phone for configuring a secure partition in a trusted security zone, comprising: a processor that executes virtualization software and comprises a plurality of processing cores, a first virtual processor, and a second virtual processor, wherein the second virtual processor comprises the trusted security zone; a plurality of secure partitions residing in the trusted security zone, wherein the trusted security zone executes a dedicated operation system; an application stored in the first virtual processor, wherein the application selects the secure partition from the plurality of secure partitions in the trusted security zone for performing a transaction associated with the application and sends the selection to a second application stored in the trusted security zone; a near field communication transceiver; and the second application stored in the trusted security zone, wherein the second application receives the selection from the first application and in response to receiving the selection, is coupled to the near field communication transceiver via a first processing core of the plurality of processing cores via direct connection to a hardware port associated with the trusted security zone on the processor prior to beginning the transaction.

Plain English Translation

A mobile phone system configures a secure partition in a trusted security zone using a multi-core processor. The processor runs virtualization software, creating a first and a second virtual processor; the second hosts the trusted security zone. The trusted security zone runs its own dedicated OS, and contains several secure partitions. An application running on the first virtual processor selects one and tells a second application in the trusted security zone. This second application then connects the phone's NFC to the selected partition. Critically, this connection happens via one specific processing core of the multi-core processor and using a direct connection to a hardware port *before* the transaction begins.

Claim 16

Original Legal Text

16. The method of claim 15, wherein only the first processing core of the plurality of processing cores is coupled to the near field communication transceiver.

Plain English Translation

The system for configuring a secure partition using a multi-core processor (as described in claim 15) only couples *one* dedicated processing core to the near-field communication (NFC) transceiver. Other cores are not directly involved with NFC communication.

Claim 17

Original Legal Text

17. The method of claim 15, wherein the first processing core of the plurality of processing cores is coupled to the near field communication transceiver via the Single Wire Protocol (SWP).

Plain English Translation

In the system for configuring a secure partition with a multi-core processor (as described in claim 15), the first processing core communicates with the near-field communication (NFC) transceiver using the Single Wire Protocol (SWP).

Claim 18

Original Legal Text

18. The method of claim 15, wherein the second application in the trusted security zone executes on the first processing core of the plurality of cores.

Plain English Translation

In the system for configuring a secure partition using a multi-core processor with one core connected to NFC (as described in claim 15), the second application, which resides in the trusted security zone, actually *runs* on the specific processing core that is also connected to the NFC transceiver.

Claim 19

Original Legal Text

19. The method of claim 18, wherein the first virtual processor is prevented from executing on the first processing core of the plurality of processing cores when the second application in the trusted security zone is executing.

Plain English Translation

In the system where the second application runs on the NFC-connected core (as described in claim 18, building on claim 15), the first virtual processor is *prevented* from running on that same core while the second application in the trusted security zone is executing. This prevents the untrusted environment from interfering with secure NFC operations.

Patent Metadata

Filing Date: May 3, 2012

Publication Date: August 6, 2013

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Alternative hardware and software configuration for near field communication” (US-8504097). https://patentable.app/patents/US-8504097